Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
| Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
 |
GNU/Linux Basic Guide
This 255-page guide will provide you with the keys to understand the philosophy of free software, teach you how to use and handle it, and give you the tools required to move easily in the world of GNU/Linux. Many users and administrators will be taking their first steps with this GNU/Linux Basic guide and it will show you how to approach and solve the problems you encounter.
Click Here to receive this Complete Guide absolutely free. |
|
 |
05-04-2010, 11:26 AM
|
#1
|
|
LQ Newbie
Registered: Feb 2005
Location: Alkaram Textiles Mills Pvt. Ltd. Karachi Pakistan
Posts: 3
Rep: 
|
Prevent user bypassing DansGuardian
I need urgent help
Configuration are follows
Proxy = Squid 3.1 running on port 8080 (Transparent)
(without http_port virtual etc. its running fine)
http_port 127.0.0.1:8080
If required I will post my configuration files as well
Filtering = Dansguardian 2.10 running on port 3128
LAN IP's = 192.168.0.0/255.255.0.0
eth0 = 192.168.0.47/255.255.0.0 LAN Interface
eth0:1 = 192.168.0.61/255.255.0.0 (Virtually External Interface)
As we have no dual interfaces on single machine, we have only gateway/firewall address with DNS
IP Forwarding
Enable IP forwarding by modifying the value of net.ipv4.ip_forward = 1 in /etc/sysctl.conf
because our LAN users need to access mail servers out side our LAN
Redirecting Port 80 traffic to 3128 through IP tables
iptables -t nat -A PREROUTING -d 192.168.0.47 -p tcp --dport 80 -j DNAT --to 192.168.0.47:3128
iptables -t nat -A PREROUTING -d 192.168.0.47 -p tcp --dport 8080 -j DNAT --to 192.168.0.47:3128
iptables -t nat -A PREROUTING -d 192.168.0.47 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -d 192.168.0.61 -p tcp --dport 80 -j REDIRECT --to-port 3128
Every thing working perfect filtering with Dansguardian and other things by enforcing proxy address in browser
When I configured browser with no proxy, and configure (192.168.0.47) as a gateway. Users are able to access those site which are restricted
One more thing sometimes its working with the above settings sometimes not. Means sometime it filter the browsing sometime it doesn't.
Could any one help me, it's the first time that I have raised a question on linuxquestion.org, because I have to resolve this issues on urgent basis.
Thanks in advance
|
|
|
|
|
05-04-2010, 12:51 PM
|
#2
|
|
Guru
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 11,777
|
Quote:
Originally Posted by Aatifali
I need urgent help
Configuration are follows
Proxy = Squid 3.1 running on port 8080 (Transparent)
(without http_port virtual etc. its running fine)
http_port 127.0.0.1:8080
If required I will post my configuration files as well
Filtering = Dansguardian 2.10 running on port 3128
LAN IP's = 192.168.0.0/255.255.0.0
eth0 = 192.168.0.47/255.255.0.0 LAN Interface
eth0:1 = 192.168.0.61/255.255.0.0 (Virtually External Interface)
As we have no dual interfaces on single machine, we have only gateway/firewall address with DNS
IP Forwarding
Enable IP forwarding by modifying the value of net.ipv4.ip_forward = 1 in /etc/sysctl.conf
because our LAN users need to access mail servers out side our LAN
Redirecting Port 80 traffic to 3128 through IP tables
iptables -t nat -A PREROUTING -d 192.168.0.47 -p tcp --dport 80 -j DNAT --to 192.168.0.47:3128
iptables -t nat -A PREROUTING -d 192.168.0.47 -p tcp --dport 8080 -j DNAT --to 192.168.0.47:3128
iptables -t nat -A PREROUTING -d 192.168.0.47 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -d 192.168.0.61 -p tcp --dport 80 -j REDIRECT --to-port 3128
Every thing working perfect filtering with Dansguardian and other things by enforcing proxy address in browser
When I configured browser with no proxy, and configure (192.168.0.47) as a gateway. Users are able to access those site which are restricted
One more thing sometimes its working with the above settings sometimes not. Means sometime it filter the browsing sometime it doesn't.
Could any one help me, it's the first time that I have raised a question on linuxquestion.org, because I have to resolve this issues on urgent basis.
Thanks in advance
|
First, this is not 'urgent' for anyone here. We volunteer our time, so if you need **URGENT** support, use a distro that you pay for, and they'll be there for you.
And if I'm understanding what you wrote...your proxy is working fine...except when you bypass it? Yep...that sounds about right. If you don't want people to get out, block any other path. |
|
|
0 members found this post helpful.
|
|
05-04-2010, 03:30 PM
|
#3
|
|
Member
Registered: May 2002
Location: dracut MA
Distribution: Ubuntu; PNE-LE; LFS (no book)
Posts: 593
Rep: 
|
Your network currently looks like:
Code:
Sys. Sys. Sys. Proxy Gateway
[] [] [] [] []
[ ] [ ] [ ] [ ] [ ]
|______|______|______|_____|
Figure 1: All systems on either the same segments, or multiple switched segments.
A solution could be:
Code:
Sys. Sys. Sys. Proxy Gateway
[] [] [] [] []
[ ] [ ] [ ] [ ] [ ]
|______|______|____| |_____|
Figure 2: Two segments are coming from Proxy and are used to provide an exclusive tunnel.
It is left as an exercise to the reader to come up with other ways of making this work, or implement this at will. |
|
|
|
|
05-05-2010, 02:55 AM
|
#4
|
|
LQ Newbie
Registered: Feb 2005
Location: Alkaram Textiles Mills Pvt. Ltd. Karachi Pakistan
Posts: 3
Original Poster
Rep:
|
Dear All,
Thanks for your help and assistance, Next time I will be careful about “URGENT”
The scenario here is
I need to provide internet access to our users transparently as they don't need to know about the proxy address. We have a router in place, through which I am accessing internet. Now I need to provide filtered internet to all of our users in the following way
[Internet]
| [Router/Gateway]
|
| [Squid/Dansguardian]
|
| [Client PCs]
PCs PCs PCs Proxy(Squid+Dansguardian) Gateway(Router)
[] [] [] [] []
[ ] [ ] [ ] [ ] [ ]
|______|_________|________________|___________________|
All are well connected with switches on a same segment.
Client PC's only has the access on Squid machine to get the internet. I want to do some magic with IP tables that the web traffic goes through DansGuardian---> Squid for filtration purpose. Remaining POP and SMTP traffic route through gateway without any interception.
Hope above will clear the situation and requirements
Once again thanks in advance
|
|
|
|
|
05-06-2010, 08:10 AM
|
#5
|
|
LQ Newbie
Registered: Feb 2005
Location: Alkaram Textiles Mills Pvt. Ltd. Karachi Pakistan
Posts: 3
Original Poster
Rep:
|
Thanks guys
I think i was unable to demonstrate my problem, But finally I got the solution
http://ubuntuforums.org/archive/index.php/t-479407.html |
|
|
|
| Thread Tools |
Search this Thread |
|
|
|
Posting Rules
|
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
HTML code is Off
|
|
|
All times are GMT -5. The time now is 05:11 PM.
|
|
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
|
 Latest Threads
LQ News
|
|
